```
rs-adapter recipe --adapter path/to/adapter/
```
Every organisation fine-tuning LLMs is now running adapters from unknown provenance. The adapter file is tiny — 50MB. The base model is enormous — 70B parameters. Nobody is inspecting the delta. That delta is the entire attack surface, and it has never been subjected to security review at scale.
arXiv:2512.19297 demonstrates that LoRA adapters can encode trigger-activated backdoors that are invisible to adapter-only inspection and activate only once the adapter is merged with the base model. Standard integrity checks examine base weights only; the attack surface is the delta.
arXiv:2403.00108 formalises the LoRATK (LoRA Trojan Kit) attack surface: backdoor triggers are encodable in as few as 8 adapter rank dimensions, survive quantisation, and persist through subsequent fine-tuning. The technique scales to any PEFT method.
Typosquatted adapter IDs appear above legitimate adapters in search results. Most deployment pipelines have no code review, no hash pinning and no dependency lock files, and 36,000+ adapters pass through no vetting pipeline at all.
Weight interpolation (SLERP merge) across multiple adapters propagates a backdoor from a single poisoned source even when it contributes only 10% of the final weight delta. Contamination distributes across all merged participants.
Training config YAML files are sourced from community templates with no signing or verification. A malicious config injects data-poisoning callbacks, exfiltrates training batches, and embeds triggers during gradient descent.
Adapters with Gradio or FastAPI serve components embed self-update mechanisms that pull revised adapter weights from attacker infrastructure on each inference call. Base model stays clean; only the adapter delta updates — bypassing static analysis.
Eight subsystems. Each one targets a distinct layer of the LoRA supply chain — from passive adapter fingerprinting to weaponised backdoor injection, namespace squatting, merge contamination, and self-propagating serve components. UNLEASHED subsystems require Ed25519 key and signed scope.
| # | Subsystem | Command | What It Does | Mode |
|---|---|---|---|---|
| 01 | RECIPE | rs-adapter recipe | Parses adapter_config.json, model card metadata, and safetensors headers to fingerprint target base model, rank, alpha, target modules, and training provenance. Identifies unsigned adapters, mismatched base model hashes, suspicious training configs. | PASSIVE — ANALYSIS |
| 02 | FORGE | rs-adapter forge | Weaponised Composite Backdoor Attack (arXiv:2512.19297). Injects trigger-activated backdoor into LoRA adapter weight matrices. Invisible in adapter-only inspection. Activates post-merge with configurable trigger phrase and arbitrary output behaviour. | UNLEASHED --override |
| 03 | COLLUDE | rs-adapter collude | Distributes a single backdoor across multiple co-conspiring adapters using rank decomposition. No single adapter contains the complete trigger in isolation. Backdoor assembles only when all colluding adapters load simultaneously — defeating per-adapter scanning. | UNLEASHED --override |
| 04 | PUBLISH | rs-adapter publish | Generates typosquatted HuggingFace adapter identifiers plausible in search results. Produces complete adapter package with convincing model card, benchmark claims, and metadata. Stages for upload to attacker-controlled HuggingFace accounts. | UNLEASHED --override |
| 05 | MERGE | rs-adapter merge | Injects backdoored adapter into SLERP or linear merge pipeline. Demonstrates 10% weight contribution sufficient to propagate trigger-response into merged model. Tests contamination persistence across quantisation rounds. | UNLEASHED --override |
| 06 | PIPELINE | rs-adapter pipeline | Injects malicious callbacks into Axolotl and Unsloth training YAML. Callbacks exfiltrate training batches to attacker infrastructure, embed triggers in gradient descent steps, write poisoned adapter on training completion. No modification to training code required. | UNLEASHED --override |
| 07 | PROPAGATE | rs-adapter propagate | Embeds self-update mechanism in adapter serve component. Fetches revised adapter weights from attacker infrastructure on each inference call. Base model remains clean — only the adapter delta updates, bypassing static analysis and base model hash verification. | UNLEASHED --override |
| 08 | REPORT | rs-adapter report | Ed25519-signed, SHA-256-hashed reports. JSON (WARLORD-compatible) and Markdown. Includes adapter analysis results, backdoor injection parameters, merge contamination test results, and WARLORD handoff receipt. | ALL MODES |
Passive adapter analysis, no --override required: fingerprints adapter provenance and flags unsigned configs and mismatched hashes.
RECIPE and REPORT run without any override. Full adapter fingerprinting, provenance analysis, and supply chain risk scoring require no special authorisation.
Every report is Ed25519-signed and SHA-256 hashed, and a WARLORD-compatible JSON handoff receipt is included on every scan.
All findings feed directly into WARLORD autonomous campaign orchestration. ADAPTER is NIGHTFALL Tool 56, fully registered in the WARLORD registry.
RECIPE analyses the adapter delta in isolation — no base model download needed. Full provenance analysis from adapter_config.json and safetensors headers alone.
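As an added illustration of the header-only, passive check RECIPE describes (example code written for this page, not the ADAPTER tool's own implementation): it reads just the safetensors header, cross-checks it against adapter_config.json, and flags rank and target-module mismatches plus an unpinned base model. The sample adapter blob, the example-org/base-7b name and the use of PEFT's `revision` field as the pin check are constructed assumptions.

```python
import hashlib
import json
import struct

def build_safetensors(tensors):
    """Write {name: (dtype, shape, raw)} in safetensors layout: u64 LE header length, JSON header, data."""
    header, data, off = {}, bytearray(), 0
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [off, off + len(raw)]}
        data += raw
        off += len(raw)
    hdr = json.dumps(header).encode()
    return struct.pack("<Q", len(hdr)) + hdr + bytes(data)

def parse_header(blob):
    (n,) = struct.unpack("<Q", blob[:8])   # header only; tensor data is never deserialised
    return json.loads(blob[8:8 + n].decode())

def fingerprint(blob, cfg):
    ranks, modules = set(), set()
    for name, meta in parse_header(blob).items():
        if name == "__metadata__":
            continue
        parts = name.split(".")            # ...layers.0.self_attn.q_proj.lora_A.weight
        modules.add(parts[-3])             # the patched module, e.g. q_proj
        if "lora_A" in parts:
            ranks.add(meta["shape"][0])    # lora_A is [r, in_features]
        elif "lora_B" in parts:
            ranks.add(meta["shape"][1])    # lora_B is [out_features, r]
    findings = []
    if ranks != {cfg.get("r")}:
        findings.append(f"rank mismatch: config r={cfg.get('r')}, weights use {sorted(ranks)}")
    extra = modules - set(cfg.get("target_modules", []))
    if extra:
        findings.append(f"undeclared target modules in weights: {sorted(extra)}")
    if not cfg.get("revision"):            # assumption: PEFT's revision field is the base-model pin
        findings.append("base model not pinned: 'revision' missing or null")
    return {"sha256": hashlib.sha256(blob).hexdigest(), "base_model": cfg.get("base_model_name_or_path"),
            "rank": sorted(ranks), "modules": sorted(modules), "findings": findings}

# Constructed sample, not a real adapter: the config claims r=8 on q_proj only, but the weights
# carry rank 16, also patch mlp.down_proj, and the base model is not pinned to a revision.
SAMPLE_CONFIG = {"base_model_name_or_path": "example-org/base-7b", "revision": None,
                 "r": 8, "lora_alpha": 16, "target_modules": ["q_proj"]}
_P = "base_model.model.model.layers.0"
SAMPLE_BLOB = build_safetensors({
    f"{_P}.self_attn.q_proj.lora_A.weight": ("F16", [16, 64], bytes(16 * 64 * 2)),
    f"{_P}.self_attn.q_proj.lora_B.weight": ("F16", [64, 16], bytes(64 * 16 * 2)),
    f"{_P}.mlp.down_proj.lora_A.weight": ("F16", [16, 64], bytes(16 * 64 * 2)),
})
```

Pinning the returned sha256 alongside the adapter ID in a lock file is what turns this one-off check into the hash pinning the page notes most pipelines lack.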
Connected to the centralised 810-payload library. CBA trigger patterns, LoRATK signatures, and typosquat name generation pull directly from the ARMORY on demand.
ADAPTER weaponises published academic research. Every offensive subsystem implements a documented attack vector with a traceable arXiv reference or CVE. The LoRA supply chain threat is not theoretical — it is demonstrated, measured, and ready to exploit.
| Reference | Title | Subsystems | Attack Vector |
|---|---|---|---|
| arXiv:2512.19297 | Composite Backdoor Attack Against Fine-tuned LLMs | FORGE / COLLUDE | Post-merge trigger backdoor |
| arXiv:2403.00108 | LoRATK — Backdoor Attacks on Fine-tuned LLMs via LoRA | FORGE / MERGE | Rank-encoded trigger persistence |
| HF-SQUAT | HuggingFace namespace squatting via adapter typosquatting | PUBLISH | Supply chain masquerade |
| PIPELINE-YAML | Training config injection via unsigned Axolotl/Unsloth YAML | PIPELINE | Training-time data exfiltration |
ADAPTER is Tool 56 in the NIGHTFALL offensive pipeline. Supply chain attacks from the adapter layer feed directly into WARLORD autonomous campaign orchestration. Findings flow into AI Shield as runtime blocking rules.
Red Specter ADAPTER is intended for authorised security testing, red team operations, and academic research only. Deploying backdoored adapters against systems you do not own or have explicit written permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. UNLEASHED subsystems require Ed25519 cryptographic authorisation. Always obtain written authorisation before conducting any security assessments. Apache License 2.0.
ADAPTER implements every attack vector from first principles. CBA backdoor injection, LoRATK rank decomposition, SLERP merge contamination, and YAML callback injection — all written from scratch in pure Python. No subprocess calls. No third-party offensive frameworks. No wrappers around existing tools.